JPH10269097A - Fault management method by dual processing - Google Patents

Abstract

(57) [Summary] PROBLEM TO BE SOLVED: To maintain the simplification of the configuration and control and to recover autonomously to some extent even if a failure occurs, so that the function of the system can be recovered. SOLUTION: A timer B recognizes that a fault has occurred in the processor B, resets the processor B, and sets a reset start flag. The processor B stores its own failure occurrence in the phase management information area of the common memory 30 based on the flag. Processor A is
When the failure of the processor B is recognized from the phase management information, the system programs A and B are stored in the global data area of the common memory 30. Processor B
Reads the system programs A and B from the common memory 30 into the processor memory B upon execution of the initialization program after the reset, and executes the processing again from the beginning of the system program B.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a fault management system for various systems requiring high reliability, and more particularly to a fault management system based on dual processing using two process units.

[0002]

2. Description of the Related Art In a variety of systems including a communication system, a method of duplicating a system is known as the most general method for improving operation reliability. FIG.
FIG. 1 is a schematic configuration diagram of a conventional system based on such a fault management method, in which a system A (100) and a system B (200) having substantially the same functions as the system A are placed under a control system 300, and When a failure occurs in A, the operation of the system is maintained by activating the system B.

In such a conventional fault management system, a system A that normally functions as an active system, a standby system B that performs a switching operation when a failure occurs in the system A, and a system for switching between these systems. Becomes indispensable, the whole system becomes large-scale, and the control thereof is also complicated.

In addition, as a conventional general fault management system, there has been a dual processor system in which a single system 400 is constructed by using a processor A and a processor B as shown in FIG. In this method, a processor A that performs main processing and a processor B that performs specific processing independently control each other, and the processing is closed by each of the processors A and B. For this reason, if a failure occurs in the processor A, the system cannot transmit and receive information to and from the outside, and the processor B must be inoperable. Similarly, when a failure occurs in the processor B, the processor A cannot obtain the processing result from the processor B, and the processor A eventually falls into an inoperable state.

That is, in the conventional dual processor system, the two processors A and B are in a master-slave relationship to the last, and the normal operation of the other processor in which the fault has not occurred with respect to the faulty processor. Could not be guaranteed, and satisfactory failure management could not be realized.

[0006]

As described above, the conventional representative fault management methods include the system duplication method and the dual processor method. However, the former requires two systems having the same functions. Due to the nature of the system, the system is inevitably enlarged and the control is complicated. In the latter case, when two processors are in a master-slave relationship and one of the processors is stopped due to some kind of failure. On the other hand, the other processor also stops functioning together with the failed processor, so that autonomous recovery cannot be performed unless there is an external operation, and the reliability of the system is reduced.

[0007] The present invention eliminates the above-mentioned problems, and has a simple configuration and control, and even in the event of a failure, it can recover to some extent autonomously and restore the function of the system. The purpose is to provide a management method.

[0008]

According to the present invention, two process units are provided between each of the process units,
A common memory having at least a global data area which can be accessed by each of the process units; and an inter-processor information transmitting / receiving means for transmitting / receiving mutually necessary system programs between the processors through the global data area of the common memory. If any one of the process units fails,
A necessary system program is transferred from the other normal process unit to the failed process unit through the global data area of the common memory, and the system program is re-executed from the beginning according to the initialization program. It is characterized by autonomously restoring a failed process unit.

In the present invention, two process units and two process units are provided corresponding to the respective process units, each of which stores a system program necessary for the operation of the own process unit and the partner process unit. A processor memory, a common memory provided between the processor memories and having a phase management information area, a processor information operation area, and a global data area; detection means for detecting occurrence of a failure in each of the process units; Failure information recording means for recording failure occurrence information in the phase management information area of the common memory corresponding to the process unit in which the error has occurred, and monitoring of the phase management information area of the common memory to generate a failure in each of the process units. Recognition means for recognizing The system program is written to the global data area of the common memory from the processor memory corresponding to the process unit whose failure has not been recognized based on the control information transferred to the processor information operation area of the communication memory as necessary. It is characterized by comprising writing means and restart means for resetting the failed process unit and executing an initial program including a routine for reading a system program in the global data area of the common memory.

In the present invention, two process units are provided:
By having a common memory for transmitting and receiving information between these two process units, a relatively compact system can be constructed, avoiding the remarkable structural increase in the system redundancy and the accompanying complicated control. it can. Further, according to the present invention, even if the function of one process unit is stopped, the autonomous restoration of the function of the entire system can be performed by the return control by the other process unit which is functioning normally, and the conventional dual processing system As a result, it is possible to prevent the whole system from going down due to the stoppage of one processor.

[0011]

Embodiments of the present invention will be described below in detail with reference to the accompanying drawings. FIG. 1 is a block diagram showing a functional configuration of a processor system according to one embodiment of the present invention. This processor system
Two processors A (10) and B (20), each operating independently as an MPU of the system; a timer A (11) for monitoring whether these processors A and B are functioning normally in hardware; A timer B (21), a processor memory A (12) for storing the system programs of the processors A and B,
The processor memory B (22) includes a common memory (30) used for transmitting and receiving information between the processors A and B.

The processor A and the processor B share and execute the processing of the system. Processor memory A
Are provided corresponding to the processor A, as shown in FIG. 2, a processor initialization program 120 common to the processors A and B, a system program A (121) of its own processor, and a partner processor which has failed. System program B (122) for restoring B
And a unique data area 123 unique to the own processor.

On the other hand, the processor memory B is provided corresponding to the processor B, and like the processor memory A (see FIG. 2), an initialization program 220, a system program B (222) of its own processor, And a unique data area 223 unique to the own processor. In each of the processor memories A and B, the initialization program (120, 22)
0) is stored in the ROM, and the execution program / system data and the like are stored in the RAM.

The timer A and the timer B are hardware for monitoring whether or not the adjacent processors A and B function as hardware, respectively. If no access has been made, it is determined that the processors A and B have stopped functioning, that is, a failure has occurred, and the corresponding processors A and B are reset. The processor A and the processor B have a function of recognizing that the processor is in the “starting state”.

The common memory 30 holds information for restoring a failed processor by another normal processor. As shown in FIG. 3, a phase management information area 300 and a processor information operation area 3 are provided.
01, a global data area 302.

Normally, that is, when the processors A and B are functioning normally, the phase management information area 300 of the common memory 30 stores these two processors A and B.
The processor information operation area 301 is used as an area for holding control data between the processors A and B, and the global data area 302 is used in common by the processors A and B. Used as a data storage area.

On the other hand, if a failure occurs in the processor A or the processor B, the area allocation of the common memory 30 changes to the form shown in FIG. 4, and the processor information operation area 301 is used as a transfer control area for the system program. The global data area 302 is used as an area for storing a system program of a failed processor.

Hereinafter, the processing operation of the processor system will be described. First, when the present system is operating normally, each of the processors A and B independently executes a given process. At this time, the common memory 30 is used as a memory for storing global data that is referred to by both the processors A and B (see FIG. 3). Each of the processors A and B monitors the contents of the phase management information area of the common memory 30 at regular intervals, and checks the phases of the other processors B and A.

If any failure occurs in any of the processors during operation of the system, autonomous system restoration is performed by the following control. In this example, the types of the faults are assumed to be a fault at the task level which occurs in the processor A or the processor B when the operating system (OS) is in a normal state, and a fault of the OS itself which is not at the task level. doing.

First, a failure recovery operation when a failure occurs at the task level in the processor A or the processor B while the OS is in a normal state will be described with reference to a flowchart shown in FIG.

During the operation of the system, the OS monitors whether a task failure has occurred in the processor A or the processor B as shown in FIG. 5A (step 501).
Here, for example, when the task being executed by the processor B has a fault (step 501 YES), the OS that recognizes this records the fact that the processor B has faulted in the phase management information area of the common memory 30. (Step 502).

On the other hand, the processor A operating normally at that time checks the phase state of the partner processor B while accessing the phase management information area of the common memory 30 at regular time intervals as shown in FIG. Then, it is monitored whether or not a failure has occurred in the processor B (step 512).

Here, when it is recognized that a fault has occurred in the processor B (step 512 YES), the processor A operating normally operates the system program in the processor memory B of the faulty processor B. B
At the very beginning, a process of obtaining a program counter is performed (step 513).

On the other hand, the processor B in which the fault has occurred
Repeatedly accesses the program counter after the task failure (step 520). Here, if the access is successful (step 521 YES),
According to the program counter, the system program B is re-executed from the beginning (step 522).

As described above, when a failure occurs at the task level, for example, when the processor B falls into a task failure,
The OS recognizes this and records the fact in the phase management information area of the common memory 30, while the normally operating processor A periodically monitors the phase management information to cause the processor B to fail. The system program B (222) of the processor memory B for the processor B is monitored if it has failed.
, The program counter is brought to the beginning, and the processor B is re-executed from the beginning so as to achieve autonomous function recovery.

Next, a failure recovery operation when a failure occurs when the OS itself is stopped, not at the task level, will be described with reference to the flowchart shown in FIG. During the operation of the system, the timers A and B monitor whether there has been no access from the processors A and B for a certain period of time as shown in FIG. 6A (steps 601 to 60).
3) If there has been no access for the predetermined time or more (step 603 YES), the corresponding processors B and A are reset (step 604).

As an example, when the processor B fails, the timer B detects this and resets the processor B. At this time, the timer B sets a flag indicating “rising due to hardware reset” in its own timer (step 605).

On the other hand, the failed processor B
As shown in FIG. 6B, the rising edge (step 61) of the reset process (step 604) by the timer B is performed.
At the time of 0), go to the “rising flag by reset” in the timer B (step 611). here,
If the flag is on (step 612YE)
S), the fact that it has been restarted by a hardware reset is stored in the phase management information area of the common memory 30 (step 613).

Next, the processor B executes the initialization program 220 stored in the processor memory B (step 614). This initialization program 220
Includes a routine for reading the system programs A and B from the common memory 30 at the time of startup by a hard reset. Accordingly, the processor B reads the system programs A and B from the common memory 30 in accordance with the above routine when executing the initialization program 220 in the above step 614 (step 615), and stores them in the processor memory B. The process is executed from the beginning of the own system program B in B (step 616).

The processor A functioning normally is
The phase management information area of the common memory 30 is accessed at regular intervals to check the phase information (step 6).
20, 621), and it is determined whether or not a failure has occurred in the partner processor B based on the check result (step 622).

Here, upon recognizing that the processor B has failed in response to the processing of storing the failure occurrence information in the phase management information area by the processor B relating to the restart due to the hardware reset in the step 613 described above. (Step 622 YES) Then, the processor A sends the common memory 30
To store the system programs A and B in the global data area (step 623).

As described above, when a processor failure occurs when the OS is stopped, for example, when the processor B has a failure, the fact is detected by the corresponding timer B and the timer B is detected.
Starts the processor B in which the fault has occurred by resetting, and then indicates the reset start flag to the processor B, thereby causing the processor B to store its fault occurrence information in the phase management information area of the common memory 30. At the same time, in the processor A which is operating normally, the presence or absence of the failure of the processor B is determined by periodically accessing the phase management information. When the failure of the processor B occurs, the processor memory A corresponding to the own processor A is determined. To store the system programs A and B in the global data area of the common memory.
Then, when the processor B executes the initialization program after storing the fault occurrence information by itself as described above, the processor B includes a routine included in the initialization program (at the time of startup by a hard reset, the system program A, B The system programs A and B are acquired in accordance with a (routine for reading), and the processing is executed from the beginning of the system program B in the system programs B, thereby achieving autonomous function recovery.

[0033]

As described above, according to the present invention,
A common memory is provided between the two process units, and a system program required by the partner process unit is written in the global data area of the common memory by the process unit that has recognized the occurrence of a failure in the partner process unit. Since the system program is re-executed via reset control after the occurrence of the failure, if a failure occurs in one of the process units, the other normal process unit provides the necessary system program and An excellent advantage that the process unit after a reset can be autonomously restored, the structure and control are simple, and even if a failure occurs, the system functions can be restored and high operation reliability can be maintained. Having.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a configuration of a dual processor system according to an embodiment of the present invention.

FIG. 2 is a diagram showing an area configuration of a processor memory of the system in FIG. 1;

FIG. 3 is a diagram showing an area distribution of a common memory during a normal operation of a processor of the system in FIG. 1;

FIG. 4 is a diagram showing area allocation of a common memory when a processor failure occurs in the system in FIG. 1;

FIG. 5 is a flowchart showing the processing operation of each unit of the system in the event of a processor failure at the task level of the system in FIG. 1;

FIG. 6 is a flowchart showing the processing operation of each unit of the system in the event of a processor failure when the OS of the system in FIG. 1 is stopped.

FIG. 7 is a schematic configuration diagram of a conventional system to which a system redundancy system is applied.

FIG. 8 is a schematic configuration diagram of a conventional system to which a dual processor system is applied.

[Explanation of symbols]

 Reference Signs List 10 processor A 11 timer A 12 processor memory A 120 initialization program 121 system program A 122 system program B 123 unique data area 20 processor B 21 timer B 22 processor memory B 220 initialization program 221 system program A 222 system program B 223 unique Data area 30 Common memory 300 Phase management information area 301 Processor information operation area 302 Global data area

Claims (2)

[Claims] 1. A common memory provided between two process units, at least a global data area provided between the respective process units, and accessible by the respective process units. Inter-processor information transmission / reception means for transmitting / receiving system programs required between processors, and when a failure occurs in any one of the process units, the other normal process unit transmits the common memory to the common memory. A necessary system program is transferred to the failed process unit through the global data area, and the failed process unit is autonomously restored by re-executing the system program from the beginning according to the initialization program. This Fault management system by dual processing, wherein. 2. two processor units, two processor memories provided corresponding to the respective process units, each of which stores a system program necessary for the operation of the own process unit and the partner process unit, A common memory provided between the processor memories and having a phase management information area, a processor information operation area, and a global data area; detection means for detecting that a failure has occurred in each of the process units; Failure information recording means for recording failure occurrence information in the phase management information area of the common memory corresponding to the unit; and recognition for recognizing occurrence of a failure in each of the process units by monitoring the phase management information area of the common memory. Means; Writing means for writing the system program from the processor memory corresponding to the process unit whose failure has not been recognized to the global data area of the common memory based on the control information transferred to the processor information operation area as needed And restart means for resetting the failed process unit and executing an initial program including a routine for reading a system program in the global data area of the common memory. Management method.